ExpressWay
Contents
Intro
Finally did a machine which didn't have a webapp hosted on it, it was a breath of fresh air haha. Good luck to anyone else trying to do this box!
User
sudo nmap -sC -sV 10.129.238.52 22/tcp open ssh OpenSSH 10.0p2 Debian 8 (protocol 2.0)
Starting off with nmap, we can see that there's only a single port open, which is SSH on port 22, which doesn't help a whole lot - attacks on SSH directly are far and few between. We can, however,
run a UDP scan with -sU to check for services running over UDP.
sudo nmap -sU -sV 10.129.238.52 500/udp open isakmp
Port 500 is running a key exchange protocol, which gives us an opening:
sudo ike-scan -A -P hash.txt 10.129.238.52
[email protected]
Warning
Running without -A would have hid ike and the PSK hash, doing it with in aggressive mode results in an unencrypted attack however.With this scan, we found a user on our target machine, alongside a pre-shared key's hash, which we can decrypt with hashcat:
hashcat hash.txt /usr/share/wordlists/rockyou.txt
This gives us ike's password, freakingrockstarontheroad, which then lets us SSH onto the machine.
Root
After running linpeas.sh, I noticed right off the bat how the version of sudo is outdated (1.9.17) - this is a known CVE (CVE-2025-32463) with a PoC we can exploit.
- sudo enters --chroot directory before checking permissions
- Process looks for etc/nsswitch.conf inside wrong folder which points to a shared library we made
- sudo executes .so file with root privileges
This allows us to get root flag without any hassle!